На страже ваших денег и данных

Editor's Notes

• #2: Good afternoon. Thank you for inviting us to PHDays 2017. We are going to introduce you to integrated platform which automatically collect and analyze malwares to offer certain information. Our subtitle ‘Malware B to D’ is coming from “Observation of Malware; From Birth to Death.” Ok. Let’s begin the actual presentation now.
• #3: I am Young Hak. Lee, Senior Security Researcher in Blackfort security. I mainly research on Automatic Analysis for Malware. Hopefully this presentation is very useful to all of you.
• #4: Is there anyone who knows what Merkava is? The Merkava is a main battle tank used by the Israel Defense Forces. You can see it has quiet unique device attached on the front, in this picture. This device is a mine clearing equipment. The name of our integrated platform, Merkava is based on this battle tank. Like the battle tank, Merkava is clearing mines, our platform, Merkava will clear malwares which we can say as mines in software system
• #5: The integrated platform Merkava is divided into two projects. The first one is malware collecting system development project, which is called Threat Insight. And the other one is malware analyzing system development project, which is called Malware Analyst. First of all, we are going to introduce you to the malwares collecting technology of Threat Insight system.
• #6: This article is from one of the Korean news reports in December 2015. The article is talking about Drive-by Download method using Angler exploit kit.
• #7: This one is from last year 2016 January. At that time, Master boot record infection was spread by using Drive-by Download method, not using the Ransomware. Its attacking technique is same but the malware itself is totally differ from the Angler exploit kit.
• #8: This article is from 2016 February. It is surprisingly talking about the spread of new type of malware which is aiming to steal the electronic money; Bit coins, using Drive-by download method. As you can see, malwares are spread through whole world wide websites by using Drive-by download attacking technique consistently. The purpose of Threat Insight is to detect Drive-by Download threats beforehand.
• #9: Here, we defined the life cycle of Drive-by Download attacks according to the cases we’ve shown so far.
• #10: Malware creator needs authority to modify the certain web page’s source code for spreading malwares on the website. The creator hacks webserver which has weak points to get authority
• #11: After obtaining authority for website modification, they inject malicious script into the webpages. Most of the cases, they inject malicious into the first page, but recently we find some malicious injections in certain other pages.
• #12: These obfuscated malicious script pages which are injected into website, are the certain pages that have exploit kit, and they redirect the pages to certain other pages. This is to make the pages move via several other websites, so we cannot easily acknowledge or find traces of attacks. Unperceived redirection is the key point.
• #13: Redirected page has exploit kit in it. Various 3rd party libraries or exploits start attacking when it matches with their already set conditions of target
• #14: If the exploit has ran successfully, malware is downloaded and executed covertly. According to this process ransomware can be installed, bit coin can be stolen or MBR can be infected.
• #15: However these malwares don’t have long lives since either security equipments detect them or security administrator detect and delete them. Then what can Merkava platform do more other than that?
• #16: The one of two types of Merkava platform, Threat Insight, detects and collects Exploit Kit, suspicious website re-directions and malicious code injections. Once the collection process is done, Malware Analyst analyze the malwares
• #17: Threat Insight has 5 different crawlers. URL crawler which collects new website URLs. Country crawler emulating Java scripts from certain website’s URL from other countries for analyzing. Blacklist crawler which checks and analyzes malwares injection history from URLs. Warning crawler analyzing potential website URLs that possibly can inject malicious codes. And the last is Dynamic crawler which directly accesses and analyzes from web browser in virtual machine environment that is made up just like actual user’s PC
• #18: This is one of the examples of analyzing cases. Threat Insight could detect suspicious redirecting actions and malicious code injections from this website URL. It was typical trojan horse malwares using CK VIP Exploit Kit.
• #19: Here is another example. Malware was injected into this college website. The interesting thing is this malware has bypass computer vaccine feature so it could neutralize certain function of the product from one of the security companies
• #20: And the last example is here. The malware, here, has different name of it but effects of it were mostly the same with the prior one, so we could assume that the attacker could be the same one from the other case. We will go though more on the malware next part. Let move on to Malware Analyst
• #21: This Malware Analyst is malware analyzing system. It analyzes malware using real time memory analyzing feature not like SandBox system
• #22: The overall structure of Malware Analyst is like this. Malware Analyst saves malwares in database from Web interface or API. And then Scheduler checks the storage of new data and orders simultaneously to run virtual machine. Then the communication between scheduler and Analyzer in the virtual machine starts
• #23: Analyzer monitors the changes of malwares memory and registry, file generations in virtual machine. When it detects memory changes, Memory Analyzer sends signals to analyze the memory and records the log on the file
• #24: Memory Analyzer compares and analyzes malwares with clean memory data according to the analyzing request from Analyzer engine. Then it draws results of diff
• #25: Log Analyzer analyzes log files that is generated after malware execution is done. It generates data to show processing treemap and timeline graph using parsing logs value after analyzing parameter value of called functions
• #26: Network Analyzer interrupts communication between malware and C&C server to analyze it. This engine has a proxy feature so that can analyze encrypted communication as well.  
• #27: Lots of researchers tried / to find the solutions / from analyzing memory / to defend against those codes like we mentioned. It’s because / the memory is / the place where you load the code whatever level you are dealing with. Either you are packing, / coding, / or encrypting the code, / you have to load the code somewhere in Memory. If automatic analyzing system can find the analyzed code automatically / and let the researchers knows, / it can help / the researchers analyze failed analysis / or some c&c server disconnection problem directly / by themselves. Also if we can figure out / the malware injection process / in memory, we can analyze / injected malicious code accordingly. We can detect / Operating system changes as well. We can analyze / how the malware affect / the OS though the memory analysis.
• #28: Memory Analyzer is using Libvmi and Volatility. It commands analysis, processes analysis, threads analysis, and analyzes networks, services, MBR and drivers. Let me tell you why we choose to use libvmi and volatility.
• #29: Before we explain why, / I will tell you / what libvmi is. Libvmi is / a virtual library / that can contact / Virtual machine memory / and makes it possible to read / or write data in real time. Because / different virtual softwares have / different memory structures we made libvmi supports / two different virtual environments / which is KVM environment / and XEN environment. The system that / we were talking about earlier, / drakvuf uses / Xen / because of this different memory structures. Our system uses / KVM. Even it only supports / certain memory structures / it has / a merit / can make you forget about these difficulties. If you can control / the memories / in real time / you don't have to / worry about the Capacity of storage / or the time for dumping and analyzing. And since it controls / memories directly / according to the transition / we can have / reliability of memories. That means / we also can have / reliable analysis results
• #30: The reason we use volatility is that we can analyze directly with libvmi accordingly. Plus memory forensic wise, it is open source project.Based on these factors plus the fact that is memory analysis focused framework for unpredictable incidents we could develop it as our needs
• #31: Now I'll tell you about the functions of memory analyzer. The first is commend Analysis.
• #32: This function developed / after the consideration of cmdscan, / consoles shellbags functions of volatility. If you run programs / through CMD shell / in Windows systems it records memory history. It's same principle / finding command history / from Console information structure / based on consoles handle in windows XP. In Windows 7 and after Versions, / it finds / commend history / from console information / based on console information. The dir part of the picture on the right shows / you / command history. This function is good / for checking the histories / of windows basic commands. Also windows XP windows seven / both of them find screen information / from console information structure / in a Same Way. Only command history has switched / to screen information. The difference between screen information / in command history is that / screen information has / results of dir order / like the bottom of picture / on the right. So you can find / the result I/O data / for the certain commands. We class / the principle of shell bags / as command analysis because / it is able / to find network share / or share folder location / or installation through Windows Explorer.exe registry / based on Ntuser.dat & UsrClass.data.
• #33: Next is process Analysis.
• #34: I'm going to talk about / certain Authority / in process analysis. In the Windows system / if you don't have / authority / certain commend can't be done. For example / when you use PowerPoint / if SeLoadDriverPrivilege is open / to everyone, / is it OK? If MS office load driver? / Doesn't sound very OK. From this / we can assume / either MS office got injected / some malicious codes / or binary got infected / by malicious codes. Like this / if there are / unnecessary(언네스서리) processes we think / that something is going on. Here is the list of the authorities that / we have to / pay attentions. The first is / SebackupPrivilege. This authority / let you read files / regardless of system access control list / which is called / ACL. In other words / malicious codes can copy / and read locked files. The next is / sedebugprivilege. This let you to read / or write in other process memory space. This authority can let malicious codes / to neutralize security / in general process. Generally in user mode / all the malicious codes / which injects Codes use / this Authority. So if this authority is vitalized / for malicious codes we can definitely assume that / code injection was happened. Next authority is / se load driver privilege. This authority let you load / or unload Kernel drivers. If malicious codes has / this authority we can assume that / it is trying to run kernel level root kit / or upload a driver. Next is / SE change notify privilege. This authority let you to register certain file / or directory change callback function. It also let malicious code / to control the installation / or uninstallation of file / by user or security system. The last authority is / SE shut down privilege. Usually vicious malicious codes use / this authority often / to damage master boot record / like bootkit. In our system based on the volatility privs function, / we compared main authorities / with white list / sto obtain the results.
• #35: Next shows the results of Process analysis. Windows Kernel uses linked list to keep process list. Mostly scans linked list to obtain processing information, but the weak point of it is that in case the malware sever or manipulate the link on purpose it is impossible to find the processing information.
• #36: Our system scans differently to prevent this weak point, it scans Pool other than the linked list. Even the link has been severed or manipulated and closed, if it can scan Pool we are able to fine processing information. Also it is able to identify completion process if it identifies scanned pool as a freed memory.
• #37: The principle of this function is to find PE header and scan IMAGE DOS HEADER from Kernel Memory. When memory dumps are executed on the point of malicious process change, it is able to identify unpacked or unencrypted codes by malware. Our system scans malware and executes dumps every memory changing points. At the end dump binary shows the results as shown on this slide.
• #38: Between these two images the one on the left is the full flow chart of binary when you try to analyze citadel malware using IDA Pro. There is not many functions, also those are not even connected to malicious activity. The image on the right is unpacked binary flow chart using malware analyst. From flow chart to number of functions there is clearly the differences.   And even can find codes which supports the analysis
• #39: Now these images are for Tesla ransomware. Tesla ransomware got quite popular recently, it uses a few different methods to interrupt analysis. The image on the left shows you entry point and function of Tesla ransomware. Even the number of the functions and entry point structure is weird. Image on the right shows you unpacked binary flowchart and function using malware analyst. The number of functions and flow chart looks different.
• #40: So far this is it for process analysis. Now we are going to talk about thread analysis
• #41: Some people ask like / “why do we need thread analysis?”  The reason that / Malware Analyst analyzes / Threads is because / Rootkit uses / Orphan Threads. Orphan Thread is / the unknown module address of start address / for Thread. For example, / when Rootkit is loaded / at the beginning, / Rootkit assigns / Kernel Memory Pool / and then copies the code of Memory Pool / to make / and run new code Block. After the Threads are created / when the modules are uploaded / the Rootkit / can be hidden / since it is based on / the Thread runs by / Pool which is not tagged / in memory. This kinds of Rootkits are / Mebroot / and Tigger. The picture on the bottom of right, / shows / Orphan Thread / from defected system memory / by tigger. Like you can see from the picture, / it is System Thread / and Orphan Thread / at the same time. The start address which / includes unknown module address shows that / it is an Orphan thread. This Analyzing Method is / pretty efficient(어피션트)/ but / it has weak points as well. Like we mentioned earlier, / The Rootkit can hide / by changing start address / as already existed module.
• #42: Orphan Thread is identified by memory change sensor. The sensor detects changes in memory and send a signal to analyzer to scan double linked list simultaneously for recording base addresses and sizes of loaded modules. And then it compares ETHREAD structures and start address from memory with previous module addresses. If the Start Address of certain thread is not existed within the address range of loaded module, it is an Orphan Thread.
• #43: Now, let's talk about Network Analysis
• #44: Even there is / separate Network Analyzer, / Malware Analyst analyzes / network information / by itself / in Memory. The reason is that, / in case network analyzer follows / protocol which / can't be interpreted, or communicate with Local Loopback Socket (127.0.0.1) Network Analyzer is not be able to detect / codes properly. To resolve this problem, / we developed / additional function that's collecting left over network information in memory. We have to distinguish(디스띵구이시) / the ways collecting network information / between Windows XP / and the version after windows vista. Before the explanation, / we inform you that / this presentation about ADDRESSOBJECT and TCPTOBJECT structures is not based on / official document / from Microsoft. This is based on / the private Reverse Engineering analysis by other hackers.
• #45: In windows XP, Malware Analyst finds / ADDRESSOBJECT start pointer which / stores AddObjTable or TCBTABLE which / stores TCPTOBJECT start pointer. When ADDRObjTable is detected / in memory, NEXT tracks ADDRESSOBJECT linked List / from 0 to Entry continually. TCPTOBJECT as well. When TCBTABLE is detected / in memory, NEXT tracks TCPTOBJECT linked List / from 0 to Entry continually. You can check / the graph / on top of the right which / shows / the difference between those two. AddrObjTable is / for searching results of socket, / and TCBTable is / for searching results of connection. In other word, / the socket from before the connection only appears / on AddObjTable, not on TCBTable. This function is based on / sockets / and connections abilities of Volatility.  All the details we went through just now / works only / in Windows XP. It's because / for the versions after Windows Vista, / Microsoft introduced new TCP/IP stack. It is a backtracking output data from Netstat.exe. It uses the fact that Netstat.exe is only active in live system. After it locates / authority of output data, / starts Pool researching / to find TCPENDPOINT, TCPLISTENER, UDPENDPOINT. Sometimes it fails / approaching the information. That's because / it stores IP address as a pointer / not like windows XP storing actual IP address / in structure. It fails / locating memory space / for pointer value during memory assigning process. This is based on / Netscan function of Volatility. But then / we don't have to concern about it / because our system cooperates with / separate network analyzer.
• #46: Next is Service Analysis presentation.
• #47: The reason for analyzing service memory is that's quiet complicated to find hidden service records even though the service can be created by registry and window command queries.
• #48: As sErv tag and serH tag are found / in services.exe of Kernel memory Memory analyzer finds / service records / in memory. There sErv tag and serH tag are / Service header structure which / searches service records. Service record is / a pointer of the first service record. Service record let you know, / service name, / display name, service type, service status / and binary path. The picture on the bottom of left is / the service data from memory analysis. The picture in the middle is / the data / from registry, and the picture on the right is / the value from service control manager. You can see / these are same values. This function is based on / svcscan ability from volatility. Our system doesn't collect / information from every services. It only collects / information / from the services which / has been newly created or transited.
• #49: Next is MBR Analysis
• #50: Let me tell you about principles of MBR analysis. The memory analyzer searches memories which have the value of 0x55, 0xaa in kernel memory. Once it finds the memories, it compares ending value of the memories with partition table structure. If they matches, the ending parts are the MBR data. This function is based on mbrparser ability of Volatility. Our system shows the result only in case MBR has been changed, it doesn't run a test for MBR.
• #51: It was presentation for MBR analysis. And now we will talk about Driver analysis. This function is for malicious Rootkit in Kernel level. In general our system is not active for this function, once it detects activity of malicious codes in kernel level, the system runs. So, you cannot see the history of the activities of malicious code in user level on result page.
• #52: Generally Driver Analysis has / 4 different functions. These are / the function / to check tree structure of driver, / function to search / drivers which are newly generated, / function to collect / the information for driver IRP, / and the function to detect fro call backs.   We will going to start with / driver IRP first. Driver IRP was created / for the communication between driver / and applications / in windows. IrP includes / integer / for necessary operation like / "create, read, and write" / and buffers for data reading / or writing by driver.  Every drivers have / registers; / 28 function pointer tables / for different operations. Driver always sets / main function tables / or IRP tables / to init routine after loading. That's to say, / it is possible that / Rootkit intercepts / certain activity as it overwrite IRP table. The picture on the bottom shows / you the results of driver IRP analysis / when Rootkit is active. You can see IRP_MJ_Create is / overwritten. That is Rootkit interception.  Generally hackers show / interests in IRP_MJ_READ, IRP_MJ_WRITE, IRP_MJ_DEVICE_CONTROL. This function is based on / driverirp ability / from Volatility. And it is possible / to sample IRP information from our system driver
• #53: The second function is that shows you classification structure of driver. Windows uses classification structure to process the I/O request. Multiple drivers process same IRP. What if Rootkit is located under normal driver? To receive logs or editable IRP copies before normal driver gets them, Rootkit locates itself right under original driver in classification structure. This picture shows you that Rootkit is running even it's not really located under keyboard, network or disk driver in driver classification structure. This function is based on devicetree ability from Volatility.
• #54: This function is based on devicetree ability from Volatility. The third function is to search new drivers. The function searches Driver IRP data from Kernel memory and brings driver name and display name from the data. It finds newly created driver after the comparison between original white list and obtained list. Our system provide driver by dumping in memory.
• #55: The last function of driver analysis is "Callback". The "Callback" is very important because it can make a result like "hooking". Let me tell you how it works and what it does. Please refer the graph. The first "Callback" is for the beginning and ending of process. It can be installed as PSSETCREATEPROCESSNOTIFYROUTINE API. Also Rootkit uses this "Callback" while it monitors the process.  Second "Callback" is for the beginning and ending of thread. It can be installed as PSSETCREATETHREADNOTIFYROUTINE API. Rootkit also uses this "Callback" while it monitors the thread. The third "callback" is for image mapping like process, library or Kernel module.  It can be installed as PSSETLOADIMAGENOTIFYROUTINE API. Rootkit uses this "callback" to interrupt investigating utility do that can make itself unnoticeable. The forth "callback" is to detect registry transitions. It can be installed as cmregistercallback (xp) or cmregistercallback(vista later) API. Rootkit uses this "callback" to detect registry modification so it can protect itself. And the last "callback" is for Bug checking. It's called out when the bug is discovered without exception handling. It is installed as KeRegisterBugCheckCallback or KeRegisterBugCheckReasonCallback API. If an exceptional Rootkit without exception handling occur BSOD, it uses this "callback" to erase its information and leave dumping history.  Actually there are more "callbacks" other than these 5 callbacks
• #56: The two projects we have been talking here are the Merkava platform.
• #57: Overall structure of Merkava platform is shown here. Malwares that are collected in malware spreading center detection system, are recorded orderly on the malware analysis database by MA API. MA executes analysis of malwares on the database record. If there is additional analyzing requests from malware spreading center detection system, the spreading center information will be shown on the analysis report separately.
• #58: This is a result capture of analysis by MA for collected malwares from TI system. You can see signature information and timeline of malware and spreading center information as well.
• #61: This is also one of the results which shows you signature information, network information and spreading center information.
• #65: Thank you for your participation of this long presentation. If you have any other questions, please feel free to reach at my email. I will do my best to answer to your questions. Thank you.